Cyber SecurityData Privacy Legislations

Complying With California’s Privacy Protection Laws: CalOPPA and CCPA

California’s gigantic role in the online consumer world makes its privacy protection regulations, CalOPPA and CCPA, a must-comply-to for any business. Learn what these legislation cover and how to work towards compliance.

Feature Image

The California Online Privacy Protection act released back in 2003 protects the privacy rights of California’s residents. This legislation, commonly called CalOPPA, seeks focuses on personally-identifiable information (PII). Meaning, all of a person’s digital information that can be traced back to identify its owner.

CalOPPA is arguably the broadest privacy law in the United States, which has no embracing Federal law on the subject. Furthermore, its reach impacts well beyond the state’s borders! Virtually all organizations must comply due to the probability of use by a California resident. Specially those with websites, and apps.

When did CalOPPA Begin and What is its Reach?

CalOPPA came into effect in 2004, as the first U.S law requiring websites and online services to display Privacy Policies. Its reach was further extended in 2012 by the California Attorney General’s Office, which applied it to mobile applications that collect PII as well.

The law was revisited in 2013 to tackle the unregulated area of online tracking. This change prompted organizations to disclose the tracking and collection of PII of those who navigate their websites and services. Also, they must explain how Do Not Track requests are handled.

Why is CalOPPA’s reach so broad? Well, California has the largest economy of any state in the United States, by far. It even compares with the U.K.’s GDP in the global ranking of top economies. Considering both local and foreign companies must comply with it… We can say it is the primary force for consumer privacy in America.

What’s more, CalOPPA just might be the foundation that the Federal government may build upon for future national privacy laws.

Complying With CalOPPA

CalOPPA brings few requirements to the table. However updates are frequent and it soon will grow its reach. It all began with clear Privacy Policies and CalOPPA’s own terms. The risk? Civil litigation under the state’s Unfair Competition Law.

Soon, its approach will change to extend the user’s right to have power over its data. This is similar to those provided by sibling laws, like the Eueropean General Data Protection Regulation (GDPR).

Have a Clear and Accessible Privacy Policy

So how do you comply with the base requirements of CalOPPA? Start with a clear Privacy Policy, easily accesible. Go for the standard “PRIVACY POLICY” link on the footer, menu, and/or app download page. Furthermore, you must ensure it contains the following:

Details on the personally identifiable information collected, and how that data is used.
Information on any third parties who your organizations shares PII with.
Proper instructions on how a consumer can review and request changes to their collected PII.
Details on how you respond to online tracking signals and Do Not Track Requests.
The effective date of the privacy policy.
An overview of how consumers will be notified of material changes to the privacy policy.

Above all things, consult with a legal expert before publishing your Privacy Policy and ask about any additional requirement that might be specific to your industry. For example, it is important to disclose how third-party partners you interact with handle their privacy policies. View Prey’s privacy policies for an example of this

The California Consumer Privacy Act, due in 2020

California recently passed another new privacy law in June 2018, the California Consumer Privacy Act (CCPA). This will take effect January 1, 2020, and it will extend CalOPPA to grant users more control over their data.

The CCPA was born from an activist group’s proposal.

If a business falls within CCPA’s scope, it must comply with Privacy Policies that includes specific “Do Not Sell my Personal Information” notification link, and update their policies yearly.

Compliance with CCPA is more rigorous, but applies to a much smaller number of organizations. However, it provides a new set of core rights to users subject to data collection. Similar to GDPR’s set of user rights, CCPA provides:

  1. The right to KNOW what personal information is collected. With clear disclosure to consumers of the specific pieces of personal data collected, sold, or disclosed (and to whom).
  2. The right to SAY NO to the sale of that personal information. Requiring businesses to stop selling a consumer’s information on request. Plus, a stronger, full opt-in for children, rather than an opt-out option.
  3. The right to DELETION. Mandating that under certain conditions, businesses must provide access and deletion rights for certain information collected.
  4. The right to NON-DISCRIMINATION. Ensuring that businesses provide equal service and price to those who have exercised these privacy rights.

As for the “Do Not Sell My Personal Information” page, it should provide consumers a way to notify they do not agree to the sale of their personal information.


Complying with California’s data privacy regulations will not pose much of a problem, they are basically a consensual standard! However, the arrival of CCPA will bring a glimpse of Europe’s strategy with GDPR to the United States.

So, if you’re already prepping up for CCPA, you can tackle two birds with one stone and do GDPR too! Here’s a checklist of its key requirements to help you do so. They share many similarities in the user rights section.

For additional information and guidance on complying with CalOPPA, CCPA and California data privacy laws, visit the California Attorney General’s webpage on privacy and protection. What’s more the AG’s provides links to major privacy protection laws at both State and Federal level.

About the author

Nicolas Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.